Agentic Browser as an MV3 Extension: Safe Auto‑Agent AI in Chrome/Firefox with a Browser‑Agent Switcher, UA/Client‑Hints Harmony, and “What Is My Browser Agent” Telemetry
Auto‑agents are already browsing the web for us: filling forms, scraping docs, comparing prices, and gluing together workflows. The fashionable approach is to ship a custom headless browser or a remote puppeteer. That’s powerful, but it’s not store‑safe for end users, and it ignores the hard‑won security model and ergonomics of a modern browser.
This article describes a practical way to build a store‑safe agentic browser as a Manifest V3 extension that works in Chrome and Firefox. We’ll ship:
- A background service worker + content scripts architecture
- A per‑site policy engine that gates agent capabilities (observe, assist, autopilot)
- A browser‑agent switcher that harmonizes Chrome’s User‑Agent string and User‑Agent Client Hints (UA‑CH)
- A privacy‑preserving “What Is My Browser Agent” telemetry panel that shows the identity a site actually sees
- Concrete mitigations to reduce the security risk surface of a browser‑level agent
We’ll be pragmatic and opinionated about what is safe, what is shippable in the stores, and how to reconcile UA and Client Hints without breaking sites or tripping store policies.
TL;DR
- Make the agent an MV3 extension. Keep the UI in content scripts; do orchestration in a background service worker.
- Per‑site policies are non‑negotiable. Default to Observe; require a one‑click promote to Assist; Autopilot requires explicit, time‑boxed consent.
- Don’t spoof UA by default. Harmonize UA and Client Hints only when strictly necessary and only with explicit consent. In Chrome, prefer the Debugger protocol to override UA+metadata atomically; in Firefox, UA override via webRequest is acceptable (UA‑CH is mostly moot there).
- “What is my browser agent” telemetry lives on device by default, sampling only when users opt in. Measure UA, UA‑CH capabilities, and effective request identity without sending site content off device.
- Minimize permissions (activeTab, scripting, storage). Use runtime host permissions. Avoid broad webRequest interceptors in Chrome; prefer declarative APIs or content‑side telemetry.
1) Why an Agent as an MV3 Extension?
MV3 is restrictive by design (service workers, no persistent background pages, emphasis on declarative APIs). Those constraints are a feature: they press you to build a safer, faster, and more store‑friendly agent. You inherit:
- The browser’s sandbox and permission model.
- A clear separation between page context and extension logic via content scripts.
- Reviewable packages (no obfuscated code, no remote‑executed code) that pass Chrome Web Store and AMO policy checks.
- Cross‑browser reach without asking users to install a binary.
Opinion: it’s better to ship a slightly less powerful agent that lives within MV3’s safe rails than to run a headless automation stack that will be flagged or break at the next browser hardening update.
2) Architecture Overview (MV3)
We’ll compose the extension as:
- Background service worker (or event page in older Firefox): orchestration, policy engine, message bus, optional LLM calls.
- Content scripts: UI affordances, DOM reading, action execution with user confirmation.
- Action popup and options page: quick toggles + policy management.
- Optional offscreen document (Chrome) to render invisible DOM for parsing or to host an authenticated fetch flow that you do not want in page context.
- Optional “echo” API endpoint for header telemetry (opt‑in only) if you want to measure what a server actually receives.
Minimal MV3 manifest (Chrome‑centric), using runtime host permissions and no blocking webRequest listeners by default:
json{ "manifest_version": 3, "name": "Agentic Browser (Safe MV3)", "version": "0.1.0", "description": "Safe auto‑agent AI with per‑site policies, UA/Client‑Hints harmony, and on‑device telemetry.", "action": { "default_popup": "popup.html" }, "options_page": "options.html", "permissions": [ "activeTab", "scripting", "storage" ], "host_permissions": [ "<all_urls>" ], "background": { "service_worker": "background.js", "type": "module" }, "content_scripts": [ { "matches": ["<all_urls>"], "js": ["content.js"], "run_at": "document_idle" } ], "icons": { "16": "icons/16.png", "32": "icons/32.png", "128": "icons/128.png" } }
Notes:
- host_permissions can be requested at runtime; you can initially ship without <all_urls> and call chrome.permissions.request for the active site when the user enables Assist/Autopilot.
- For Chrome header overrides, you’ll add optional permissions later ("debugger"), gated behind UX and consent.
- For Firefox MV3, the background service worker exists, but feature parity differs. Where needed, detect features and fall back to webRequest or event pages. Use the “browser” polyfill to harmonize promises.
3) Per‑Site Policy Model (Observe → Assist → Autopilot)
Do not let an agent “just run.” Define explicit modes per origin (scheme+host+port):
- Observe: The agent can read the DOM, highlight affordances, and propose actions. No automated clicks/inputs.
- Assist: The agent may fill forms and propose actions; each action requires a user confirmation click.
- Autopilot: The agent can perform actions within explicit guardrails (time window, step budget, rate limits). Any risky action escalates to a confirm dialog.
Represent the policy store as a keyed dictionary and persist in chrome.storage.local so it syncs only locally by default.
ts// types.ts export type Mode = 'observe' | 'assist' | 'autopilot'; export interface SitePolicy { origin: string; // e.g., https://example.com mode: Mode; // observe | assist | autopilot expiresAt?: number; // epoch ms for autopilot timebox stepBudget?: number; // max steps before pausing rateLimit?: { perMinute: number }; allowedActions?: string[]; // e.g., ["fill", "click", "navigate"] blockedSelectors?: string[]; // never touch }
js// background.js (simplified) const POLICIES_KEY = 'sitePolicies'; async function getPolicy(origin) { const { [POLICIES_KEY]: map = {} } = await chrome.storage.local.get(POLICIES_KEY); return map[origin] || { origin, mode: 'observe' }; } async function setPolicy(policy) { const { [POLICIES_KEY]: map = {} } = await chrome.storage.local.get(POLICIES_KEY); map[policy.origin] = policy; await chrome.storage.local.set({ [POLICIES_KEY]: map }); } chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => { (async () => { if (msg.type === 'GET_POLICY') { const url = new URL(sender.tab.url); const policy = await getPolicy(url.origin); sendResponse({ policy }); } if (msg.type === 'SET_POLICY') { await setPolicy(msg.policy); sendResponse({ ok: true }); } })(); return true; });
4) “Browser‑Agent Switcher” and UA/Client‑Hints Harmony
“Browser agent” can mean two intertwined things:
- The logical agent that controls your browser (human vs auto‑agent).
- The identity your browser presents on the network (User‑Agent string and Client Hints), which many sites use for compatibility and analytics.
If you ship a UA switcher without understanding UA‑CH, you will break sites. Chrome is reducing the UA string (UA Reduction) and moving detail into Client Hints (Sec‑CH‑UA*, see: https://chromium.org/updates/ua-reduction). If your extension only spoofs the UA string while the browser still sends real UA‑CH values, servers will detect mismatch and may serve broken content or flag you as a bot.
Opinionated guidance:
- Default to “Native” (no override). Prefer capability detection to UA heuristics.
- If you must override, do it atomically and consistently per tab:
- On Chrome: use the Debugger protocol Network.setUserAgentOverride to set both userAgent and userAgentMetadata in one call, per target. This best harmonizes UA and UA‑CH.
- On Firefox: UA‑CH is largely not sent, so you only need to set User‑Agent. Use webRequest to modify the User‑Agent header per request (MV3 still allows blocking listeners in Firefox). Do not attempt to fabricate UA‑CH values.
- Never spoof to evade anti‑fraud. Only spoof to increase compatibility (e.g., old enterprise apps) and only with user consent, per site, for a limited time.
4.1 Chrome: Harmonized override via Debugger API
Pros: atomic override of UA + UA‑metadata that controls UA‑CH. Cons: requires the "debugger" permission and attaches to a tab (scary prompt). Use only when the user explicitly enables a harmonized profile.
js// background.js (Chrome only): attach debugger and set UA override async function withDebugger(tabId, fn) { const target = { tabId }; await chrome.debugger.attach(target, '1.3'); try { await fn(target); } finally { try { await chrome.debugger.detach(target); } catch {} } } async function applyUAProfile(tabId, profile) { // profile: { uaString, platform, platformVersion, architecture, model, fullVersionList } await withDebugger(tabId, async (target) => { await chrome.debugger.sendCommand(target, 'Network.enable', {}); await chrome.debugger.sendCommand(target, 'Network.setUserAgentOverride', { userAgent: profile.uaString, userAgentMetadata: { platform: profile.platform, // "Windows", "macOS", "Android", etc. platformVersion: profile.platformVersion, // e.g., "15.0.0" architecture: profile.architecture, // "x86", "arm" model: profile.model || "", fullVersionList: profile.fullVersionList // [{brand:"Chromium", version:"120"}, ...] } }); }); }
Profiles should be curated from real data (do not invent impossible combinations). Example profile:
jsconst profiles = { chrome_win: { uaString: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36", platform: "Windows", platformVersion: "10.0.0", architecture: "x86", model: "", fullVersionList: [ { brand: "Chromium", version: "121" }, { brand: "Not(A:Brand)", version: "24" }, { brand: "Google Chrome", version: "121" } ] } };
UX pattern: the popup shows “Browser‑Agent: Native | Chrome/Windows | Chrome/macOS”. Selecting a non‑Native profile calls applyUAProfile(tabId, profile). Offer a “Restore Native” button.
4.2 Firefox: Per‑request UA override via webRequest
Firefox MV3 provides blocking webRequest in a way Chrome MV3 does not. You can safely set only the User‑Agent header (UA‑CH is typically not present). Keep it per‑site and optional.
js// background.js (Firefox only) const ff = typeof browser !== 'undefined' ? browser : chrome; function enableFirefoxUAOverride(origin, uaString) { const filter = { urls: [origin + '/*'] }; const listener = (details) => { const headers = details.requestHeaders.filter(h => h.name.toLowerCase() !== 'user-agent'); headers.push({ name: 'User-Agent', value: uaString }); return { requestHeaders: headers }; }; ff.webRequest.onBeforeSendHeaders.addListener( listener, filter, ["blocking", "requestHeaders"] ); return () => ff.webRequest.onBeforeSendHeaders.removeListener(listener); }
Be aware AMO reviewers expect a clear user value and a per‑site toggle. Do not ship a global UA override by default.
4.3 Do not rely on Accept‑CH as a fix
Servers historically used Accept‑CH to request hints, but recent changes prefer Permissions‑Policy (e.g., "ch-ua-model=*"), and browsers have tightened CH delivery. Extensions should not try to coerce CH through response header modifications; it’s brittle and can confuse sites. Harmonize at the source (Debugger on Chrome) or abstain.
5) “What Is My Browser Agent” Telemetry (Privacy‑First)
Users need to see what identity a site perceives. Provide a panel that shows:
- UA string: navigator.userAgent
- UA‑CH availability: navigator.userAgentData (if present)
- High‑entropy UA‑CH values (with explicit user gesture): brands, model, platform, architecture, bitness, fullVersionList
- Request‑observed identity (optional): what a server actually saw for a test request
Design principles:
- Local by default: collect and store on device only.
- Opt‑in for any remote echo service. If used, sample sparsely and redact path/query.
- Never collect page content or form values.
Content script snippet that queries UA and UA‑CH and sends to background:
js// content.js (function () { async function collectUA() { const uaStr = navigator.userAgent; const data = { ua: uaStr, ch: null }; if (navigator.userAgentData && navigator.userAgentData.getHighEntropyValues) { try { const ch = await navigator.userAgentData.getHighEntropyValues([ 'architecture', 'bitness', 'model', 'platform', 'platformVersion', 'fullVersionList' ]); data.ch = { mobile: navigator.userAgentData.mobile, brands: navigator.userAgentData.brands, ...ch }; } catch {} } chrome.runtime.sendMessage({ type: 'UA_TELEMETRY', data }); } // Run once per navigation if (document.visibilityState !== 'prerender') collectUA(); })();
Background handler and storage:
js// background.js const UA_LOG_KEY = 'uaTelemetry'; chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => { (async () => { if (msg.type === 'UA_TELEMETRY') { const url = sender?.tab?.url ? new URL(sender.tab.url) : null; const origin = url ? url.origin : 'unknown'; const entry = { ts: Date.now(), origin, data: msg.data }; const { [UA_LOG_KEY]: arr = [] } = await chrome.storage.local.get(UA_LOG_KEY); arr.push(entry); // Cap logs to last N entries to avoid unbounded growth while (arr.length > 2000) arr.shift(); await chrome.storage.local.set({ [UA_LOG_KEY]: arr }); sendResponse({ ok: true }); } })(); return true; });
Optional “server‑observed” echo (opt‑in):
- Host an endpoint that echoes request headers back as JSON (e.g., /echo). From the background SW, perform a fetch to https://echo.example/echo with credentials off and no referrer, then store the echoed headers. Always show the endpoint domain, and allow users to disable it.
jsasync function serverObservedIdentity() { const res = await fetch('https://echo.example/echo', { method: 'GET', credentials: 'omit', cache: 'no-store', referrerPolicy: 'no-referrer' }); const json = await res.json(); // Expect { headers: {...}, ip: 'x.x.x.x' } return json; }
In your popup/options, render a simple “What is my browser agent?” panel with fields and a “Run server check” button that triggers serverObservedIdentity only when clicked.
6) Agent Execution Model: Safe by Construction
An agent is risky by default. Constrain it:
- Capability scoping by site policy (Observe/Assist/Autopilot). Don’t ship a universal autopilot.
- Narrow action vocabulary: fill text fields, click visible buttons/links, select options, scroll, wait for element, navigate within same origin. Exclude risky actions by default (downloading files, opening new tabs, pasting clipboard, uploading files) unless explicitly allowed.
- Minimal data access: content scripts may read visible text and element attributes; they do not access cookies, storage, or response bodies. If you need network data, do a fetch from background with explicit host permission and CORS awareness.
- Explicit user confirmation in Assist mode: show a diff (field name + new value length), target element preview, and a 3‑second grace period to cancel.
- Rate limiting and step budgets: guard against loops.
- Respect robots.txt and site ToS. Do not auto‑agent on sites that prohibit automation.
Content script action performer:
js// content.js (action executor) chrome.runtime.onMessage.addListener((msg, _sender, sendResponse) => { if (msg.type === 'EXECUTE_ACTION') { const res = execute(msg.action); sendResponse(res); } }); function execute(action) { try { switch (action.kind) { case 'fill': { const el = document.querySelector(action.selector); if (!el || !(el instanceof HTMLInputElement || el instanceof HTMLTextAreaElement)) { return { ok: false, error: 'No input at selector' }; } el.focus(); el.value = action.value; el.dispatchEvent(new Event('input', { bubbles: true })); return { ok: true }; } case 'click': { const el = document.querySelector(action.selector); if (!el || !(el instanceof HTMLElement) || !isVisible(el)) { return { ok: false, error: 'Not clickable' }; } el.scrollIntoView({ block: 'center', inline: 'center' }); el.click(); return { ok: true }; } case 'navigate': { const url = new URL(action.href, location.href); if (url.origin !== location.origin) { return { ok: false, error: 'Cross‑origin navigate blocked' }; } location.href = url.href; return { ok: true }; } default: return { ok: false, error: 'Unknown action' }; } } catch (e) { return { ok: false, error: String(e) }; } } function isVisible(el) { const rect = el.getBoundingClientRect(); return rect.width > 0 && rect.height > 0 && getComputedStyle(el).visibility !== 'hidden'; }
Background orchestrator ensures policy compliance and adds confirmation gates:
js// background.js (policy‑aware dispatcher) async function dispatchAction(tabId, origin, action) { const policy = await getPolicy(origin); if (policy.mode === 'observe') return { ok: false, error: 'Observe‑only' }; if (policy.mode === 'assist') { const ok = await confirmAction(tabId, action); if (!ok) return { ok: false, error: 'User declined' }; } if (policy.mode === 'autopilot') { const now = Date.now(); if (policy.expiresAt && now > policy.expiresAt) return { ok: false, error: 'Autopilot expired' }; if (policy.stepBudget != null) { policy.stepBudget -= 1; await setPolicy(policy); if (policy.stepBudget < 0) return { ok: false, error: 'Step budget exceeded' }; } } return chrome.tabs.sendMessage(tabId, { type: 'EXECUTE_ACTION', action }); } async function confirmAction(tabId, action) { // Implement a lightweight modal via content script UI or the popup. return new Promise((resolve) => { chrome.tabs.sendMessage(tabId, { type: 'CONFIRM_ACTION', action }, (resp) => { resolve(resp?.ok === true); }); }); }
7) Security Mitigations for Browser‑Agent Risk
- Principle of least privilege
- Permissions: activeTab, scripting, storage. Request host permissions at runtime per site. Avoid broad permissions like tabs, webRequestBlocking by default in Chrome.
- No remote code execution. Fetching model outputs is fine; injecting remote JS is not. No eval/new Function.
- Content script isolation
- MV3 runs content scripts in an isolated world—keep it that way. If you need to operate in the page world, use a tiny, audited bridge only for events that require it.
- Sanitize selectors sourced from model outputs; prefer a constrained selector DSL (data‑testids, role‑based queries) to free‑form CSS/XPath.
- Data boundaries
- Never exfiltrate cookies, storage, or credentials. Background fetches should be anonymous by default (credentials: 'omit') unless explicitly justified and visible to the user.
- Redact secrets from the DOM if you must send context to a model (mask tokens/password fields, SSNs). Keep the masking code on device and open‑source.
- Guardrails on autonomy
- Time‑box Autopilot (e.g., 10 minutes) and provide a persistent badge indicating autonomy is active.
- Step budgets and rate‑limits per origin.
- Auto‑pause on unexpected prompts (e.g., file download, alert dialogs) and require user confirm.
- Store compliance
- Chrome Web Store: no obfuscation, no bundled native code, be explicit about data usage, avoid the debugger permission unless strictly needed and well‑justified in the listing.
- AMO: similar constraints; webRequest usage is reviewed carefully—explain UA override and keep it per‑site with clear UX.
8) Cross‑Browser Differences and Feature Detection
- Background worker: Chrome MV3 uses service workers. Firefox MV3 supports service workers, but older versions may still rely on event pages. Detect and polyfill.
- declarativeNetRequest: robust in Chrome, limited in Firefox. Avoid relying on DNR for UA unless you are very sure; prefer Debugger (Chrome) or webRequest (Firefox) for UA overrides.
- UA‑CH: widely shipped in Chromium, not broadly in Firefox. Your “harmony” logic should effectively be Chrome‑only.
- offscreen documents: available in Chrome; not in Firefox (use hidden tabs or content scripts).
Use the WebExtensions polyfill:
html<script src="https://unpkg.com/webextension-polyfill"></script>
Then prefer browser.* with promises where available.
9) Popup UI and Switcher Workflow
The popup offers quick toggles:
- Per‑site policy: Observe | Assist | Autopilot (with expiry + step budget)
- Browser‑Agent identity: Native | Profile A | Profile B | Restore
- Run “What is my browser agent?” measurement (local and optional server‑observed)
Popup script (simplified):
js// popup.js async function init() { const [tab] = await chrome.tabs.query({ active: true, currentWindow: true }); const origin = new URL(tab.url).origin; const policy = (await chrome.runtime.sendMessage({ type: 'GET_POLICY' })).policy; renderPolicy(policy); document.getElementById('mode').onchange = async (e) => { const mode = e.target.value; const newPolicy = { ...policy, origin, mode }; if (mode === 'autopilot') { newPolicy.expiresAt = Date.now() + 10 * 60 * 1000; newPolicy.stepBudget = 50; } await chrome.runtime.sendMessage({ type: 'SET_POLICY', policy: newPolicy }); }; document.getElementById('uaProfile').onchange = async (e) => { const profileName = e.target.value; if (profileName === 'native') { // Attach debugger with an empty override to restore? Simpler: reload tab. chrome.tabs.reload(tab.id); return; } await chrome.runtime.sendMessage({ type: 'APPLY_UA_PROFILE', tabId: tab.id, profileName }); }; } init();
Background handler for UA profile selection (Chrome‑only path shown; guard with feature detection):
jschrome.runtime.onMessage.addListener((msg, _sender, sendResponse) => { (async () => { if (msg.type === 'APPLY_UA_PROFILE') { if (!chrome.debugger) { sendResponse({ ok: false, error: 'No debugger API' }); return; } const { tabId, profileName } = msg; const profile = profiles[profileName]; if (!profile) { sendResponse({ ok: false, error: 'Unknown profile' }); return; } try { await applyUAProfile(tabId, profile); sendResponse({ ok: true }); } catch (e) { sendResponse({ ok: false, error: String(e) }); } } })(); return true; });
10) LLM Integration Without Violating Store Policies
- You may call remote APIs (OpenAI, Anthropic, your server) from the background worker to plan actions. That’s allowed.
- Do not fetch and execute remote code or models inside the extension context. If you ship an on‑device model, bundle it transparently (WASM/weights) and avoid obfuscation.
- Keep prompts and redaction code visible and auditable. It helps store reviewers and users trust your approach.
An example orchestration loop:
jsasync function planNextActions(context) { const prompt = [ 'You are a browsing assistant. You can propose only these actions:', '- click(selector)', '- fill(selector, value)', '- navigate(href)', 'Selectors must refer to visible elements; never submit passwords.', 'Given the following DOM summary and goal, propose at most 1 action.' ].join('\n'); const body = { model: 'gpt-4o-mini', messages: [ { role: 'system', content: prompt }, { role: 'user', content: JSON.stringify(context) } ], temperature: 0 }; const res = await fetch('https://api.example.ai/chat', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) }); const json = await res.json(); return parseAction(json.choices[0].message.content); }
Ensure the content script provides a redacted DOM summary (e.g., visible text snippets and labeled controls) rather than raw HTML with secrets.
11) Testing and Store Checklists
Pre‑submission checklist for Chrome Web Store:
- Minimal permissions; justify each in the listing. If you ship "debugger", clearly explain it’s for per‑site UA harmonization and requires explicit user consent.
- No code obfuscation. No remote JS execution. No eval.
- Data usage disclosure: enumerate telemetry fields (UA string, UA‑CH values, origin, timestamps), retention policy, and user controls to delete.
- Respect the offscreen document quota. Do not keep long‑lived offscreen pages without activity.
- Do not intercept or modify headers globally. Keep UA overrides opt‑in, per‑site, and reversible.
AMO (Firefox) checklist:
- If using webRequest (blocking), keep the URL filters narrowly scoped and explain usage in the submission notes.
- No broad host permissions unless necessary; prefer runtime grants.
- Provide a clear toggle for UA override and an easy reset.
Automated testing ideas:
- Unit‑test selector safety and blockedSelectors enforcement.
- End‑to‑end tests using WebDriver BiDi or Puppeteer (for Chromium) to drive the extension and ensure Observe/Assist/Autopilot gates function as intended.
- Snapshot tests of the telemetry panel to ensure no accidental inclusion of page content.
12) Failure Modes and How to Avoid Them
- UA mismatch breaks site: if users report a site failing after enabling a profile, offer a one‑click restore to Native and reload. Provide a small explainer about UA‑CH.
- Infinite action loops: impose step budgets and detect repetitive actions by hashing recent action sequences.
- Sensitive field autofill: maintain a denylist of input[type=password], common secret patterns, and ARIA labels. Require explicit user action to proceed if a model proposes touching them.
- Cross‑origin navigations: require confirm; consider disabling autopilot for cross‑origin changes unless whitelisted.
13) Example: Shipping a Store‑Safe Minimal Agent
-
MVP scope:
- Observe and Assist only (no Autopilot yet)
- No UA override by default; include the telemetry panel and a clear explanation about UA/CH
- Per‑site policy toggles and runtime host permission requests
- DOM redaction and explicit confirmation dialogs for writes
-
Roadmap:
- Add Autopilot with time‑boxing and step budgets
- Offer optional UA harmonized profiles (Chrome Debugger, Firefox webRequest) with consent
- Add optional server‑observed telemetry for users who want to debug compatibility issues
This path gets you live in stores while you build trust and gather feedback.
14) References and Further Reading
- Chromium UA Reduction: https://www.chromium.org/updates/ua-reduction
- User‑Agent Client Hints Explainer: https://wicg.github.io/ua-client-hints/
- Chrome Extensions MV3 docs: https://developer.chrome.com/docs/extensions/
- Firefox MV3 status: https://extensionworkshop.com/documentation/publish/manifest-v3-migration-guide/
- Debugger API: https://developer.chrome.com/docs/extensions/reference/debugger
- Privacy principles for telemetry: https://research.google/pubs/pub45526/ (RAPPOR) and differential privacy primers
15) Conclusion
Agentic browsing does not need to be a binary between wild headless automation and a passive assistant. MV3 gives us a principled, store‑safe middle path: a background service worker that plans, content scripts that execute under explicit, per‑site policies, and a user‑visible identity model that respects how modern browsers expose themselves to servers. If you harmonize UA and Client Hints only when necessary (and do so atomically), ship privacy‑first telemetry, and embrace capability scoping, you’ll deliver a useful auto‑agent that users—and stores—can trust.
The hardest part is not writing code; it’s choosing safe defaults and building the guardrails you hope you’ll never need. Do that, and your agent can live comfortably inside the browser rather than trying to pretend it isn’t one.